fix: Add nested container support to workspace.nspawn

- Add Capability=all for full capabilities
- Add SystemCallFilter=@keyring bpf for required syscalls
- Set PrivateUsers=no to avoid user namespace issues
- Set SuppressSync=false for Docker compatibility
- Fixes audit errors in nested systemd-nspawn containers
This commit is contained in:
Claude
2025-11-07 19:54:07 +00:00
parent d3ea2cc78d
commit f965547b6c


@@ -37,9 +37,13 @@ cat > $ROOTFS/etc/systemd/nspawn/workspace.nspawn <<'EOF'
[Exec]
Boot=yes
ResolvConf=copy-host
Capability=all
SystemCallFilter=@keyring bpf
PrivateUsers=no
[Files]
Bind=/home/ai:/root
SuppressSync=false
[Network]
VirtualEthernet=no
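Review bot: `Capability=all` together with `PrivateUsers=no` removes the two main isolation boundaries this container had, and neither the heredoc nor the commit message records why a narrower capability set was not sufficient; with `Boot=yes` and `Bind=/home/ai:/root` in the same file, that rationale belongs next to the setting so a later reader does not tighten it back blindly or extend it further. I would add above `Capability=all` a comment such as `# Nested systemd-nspawn: full capabilities and no user namespace are required here; isolation is reduced — replace with the specific capabilities once they are known`. `Capability=` accepts an explicit list, so the set actually needed for nested nspawn could be enumerated in a follow-up instead of `all`. `SuppressSync=false` appears to match that option's default, so it may be a no-op unless something else sets it — worth confirming before relying on it for Docker compatibility. The `cat > ... <<'EOF'` heredoc that contains these lines starts before this hunk (the context in the `@@` header), so the `EOF` terminator is outside the view.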